Filtering event logs
Hi guys,
could you please share your experience with filtering Windows event logs?
I have the following configuration in the input tag:
Query <QueryList>\
      <Query Id="0">\
      <Select Path="Application">*</Select>\
      <Select Path="System">*</Select>\
      <Select Path="Security">*</Select>\
      </Query>\
      </QueryList>
# For Windows 2003 and earlier use the following:
#   Module      im_mseventlog
#Exec if ($raw_event =~ /INFO\s+62464/) drop();
# Query for event logs (takes only the defined ones)
#Query <QueryList>\
#<Query Id='1'>\
#<Select Path='Application'>*[System[(EventID='32068')]]</Select>\
#<Select Path='System'>*[System[(EventID='7001')]]</Select>\
#</Query>\
#</QueryList>
# Level 1 (ID=30  Critical)     severity level events
# Level 2 (ID=40  Error)        severity level events
# Level 3 (ID=50  Warning)      severity level events
# Level 4 (ID=80  Information)  severity level events
# Level 5 (ID=100 Verbose)      severity level events
# Drop level 4 and 5 severity logs
Exec if ($EventType == 'VERBOSE') OR ($EventType == 'Verbose') drop();
Exec if ($EventType == 'INFORMATION') OR ($EventType == 'Information') drop();
Exec if $raw_event =~ /INFO\s+4648/ drop();
..
I planned to filter specific events by entering the name of the 'eventtype', as in the example above. I would like to filter all Verbose, Information, and Warning levels. Unfortunately, this doesn't filter the Security INFORMATION level.
Could you please give a proper example of filtering logs by severity and by specific event ID?
Thank you very much.
Appreciate the help.
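An example input configuration added here to illustrate both kinds of filtering the question asks about (by severity and by Event ID); it is not from the original post. It assumes NXLog's im_msvistalog module, whose $EventType field takes the values CRITICAL, ERROR, AUDIT_FAILURE, AUDIT_SUCCESS, INFO, WARNING and VERBOSE (so the string 'INFORMATION' never matches), and that Security audit events carry XPath Level 0 rather than 4, which is why a level-based "Information" filter leaves them untouched.

```apacheconf
<Input eventlog>
    Module  im_msvistalog
    # Severity filtering at the query stage: keep only Critical (1),
    # Error (2) and Warning (3) from Application and System. Information (4)
    # and Verbose (5) never reach NXLog, so no Exec rule is needed for them.
    # Security audits have Level 0, so they are selected with '*' and a
    # single Event ID (4648, taken from the post above) is dropped with
    # the Suppress element.
    Query   <QueryList>\
            <Query Id="0">\
            <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
            <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>\
            <Select Path="Security">*</Select>\
            <Suppress Path="Security">*[System[(EventID=4648)]]</Suppress>\
            </Query>\
            </QueryList>

    # Exec-stage filtering for whatever the query lets through. Compare
    # $EventType against NXLog's documented uppercase values, not the
    # Event Viewer labels ("Information", "Verbose").
    Exec    if $EventType == 'INFO' or $EventType == 'VERBOSE' drop();

    # Security audits show as "Information" in Event Viewer, but NXLog
    # reports them as AUDIT_SUCCESS / AUDIT_FAILURE. Drop the successes
    # if only failed audits are wanted.
    Exec    if $EventType == 'AUDIT_SUCCESS' drop();

    # Drop a specific Event ID by comparing the integer $EventID field
    # rather than regex-matching $raw_event (7001 is from the post above).
    Exec    if $EventID == 7001 drop();
</Input>
```

Filtering in the XPath query is cheaper than filtering in Exec, because dropped events are never read from the channel at all.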
